What is destroying my session cookie?


Luis Cruz

Wednesday 26 September 2007 12:21:50 pm

Greetings; running eZ 3.6.11 and am trying to do the following. I have multiple domains each with its own language: foo.com serves up English and foo.de serves up German. We have special content that requires the user to login to access. We want them to be able to login on either site, but we also want to force them to use the English or German site based on their user type.

For example, user A logs into foo.com; their user type/group in eZ is "German User". They attempt to access http://foo.com/special/doc but are redirected to http://foo.de/special/doc. Currently, this interaction is working up to a point; users log in successfully and are redirected successfully. However, the session cookie appears to get destroyed upon accessing that login-protected page; browsing to another login-protected page requires logging in again.

Here are the technical details; first, I have this near the bottom of my pagelayout.tpl:

{beacon()}

This custom operator has the following code:

    function beacon()
    {
        $http =& eZHTTPTool::instance();
        $sessionID = $http->getSessionKey();

        // Salt, Obfuscate, Encrypt, and munge the session ID here...

        // One beacon image per domain; each endpoint sets that domain's session cookie.
        // The closing EOL must stay at column 0 (heredoc rule in PHP of this era).
        $beacon = <<<EOL
<img src="http://foo.com/beacon/(beid)/$sessionID" /><img src="http://foo.de/beacon/(beid)/$sessionID" />
EOL;
        return $beacon;
    }

As you can see, the purpose of the operator is to embed an image from the various sites that one could log into and access. The image returned will also set a cookie for each site to synchronize the session IDs across the domains.

The code to return this beacon image is this:

    include_once("kernel/common/template.php");
    $Module =& $Params["Module"];
    $Module->setTitle("SSO Beacon");

    include_once( "lib/ezutils/classes/ezuri.php" );
    $eZURI =& eZURI::instance();
    $userParameters = $eZURI->userParameters();

    $sessionID = null;

    // Was a "beid" user parameter set?
    if (array_key_exists("beid", $userParameters)) {
        // The munged session ID travels in the (beid) path parameter
        $sessionID = $userParameters["beid"];

        // reverse the process for munging the session ID...
    }

    // Only set the cookie when a session ID actually arrived with the request
    if ($sessionID !== null) {
        setcookie("eZSESSID" . $GLOBALS['eZCurrentAccess']['name'], $sessionID, time() + 60 * 60 * 24 * 365, "/");
    }
    header("Content-type: image/gif");
    readfile("/path/to/pixel.gif");

At the top of pagelayout.tpl is another custom operator that detects what page you are on and redirects you to the appropriate domain. Here is what happens when I step through the process.

1. Go to http://foo.com/user/login; I see that a cookie for foo.com (eZSESSIDen) and for foo.de (eZSESSIDde) is set. Both contain the same session ID value. The beacons (http://foo.com/beacon/(beid)/...) at the bottom of the page contain the same session ID value.

2. Login successfully; cookies and beacons for both domains still contain the same session ID value.

3. Access http://foo.com/special/doc but redirected to http://foo.de/special/doc. HTTP headers for the page hit and redirect show that the cookies sent and received all contain the same session ID value.

4. When http://foo.de/special/doc is finished loading, the .com cookie goes missing, and the beacons on the page all have the session ID set to 0.

5. Moving onto another page now resets the session requiring the user to login again.

So, it seems like the session is being set up correctly when the initial beacon calls are made. When I land on the second domain, it knows that I should be logged in as the proper user and associated with the proper session. However, what is resetting the session ID to 0 when the beacons are included on that page?

I've spun my wheels on this for a while now and can't seem to get anywhere. Anyone have ideas of where to throw in some debug code or what might be flawed in my approach?

Cheers.

- luis
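Added example, not code from the post or from eZ Publish: a hardened version of the beacon exchange described above, in which the beacon URL carries an HMAC-signed, short-lived token in place of the raw session ID, so the endpoint only sets a cookie for IDs that one of the sites issued itself and a session ID copied from a referer or proxy log cannot be replayed into a cookie. BEACON_SECRET (shared by both sites), the 300-second lifetime and the function names are assumptions, and the code targets PHP 7.1 or later rather than the PHP that eZ 3.6 ran on.

```php
<?php
// Added example (not from the original post): signed, expiring beacon tokens.
// BEACON_SECRET and BEACON_TTL are assumptions; the cookie name follows the post.
const BEACON_SECRET = 'replace-with-a-long-random-secret-shared-by-foo.com-and-foo.de';
const BEACON_TTL    = 300;   // seconds a beacon URL stays valid

// Token layout: hex(sessionId|expiry) . '.' . HMAC-SHA256(hex part).
// Hex keeps the token URL-safe inside the eZ (beid) path parameter.
function issueBeaconToken(string $sessionId, ?int $now = null): string
{
    $expiry  = ($now ?? time()) + BEACON_TTL;
    $payload = bin2hex($sessionId . '|' . $expiry);
    return $payload . '.' . hash_hmac('sha256', $payload, BEACON_SECRET);
}

// Returns the session ID, or null if the token is malformed, forged or expired.
function verifyBeaconToken(string $token, ?int $now = null): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0])) {
        return null;
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time, so a forged MAC leaks no timing signal.
    if (!hash_equals(hash_hmac('sha256', $payload, BEACON_SECRET), $mac)) {
        return null;
    }
    $pieces = explode('|', hex2bin($payload), 2);
    if (count($pieces) !== 2 || !ctype_digit($pieces[1]) || (int) $pieces[1] < ($now ?? time())) {
        return null;
    }
    return $pieces[0];
}

// Drop-in body for the beacon module: only a valid token may set the session cookie.
function serveBeacon(array $userParameters): void
{
    $sessionId = isset($userParameters['beid']) ? verifyBeaconToken($userParameters['beid']) : null;
    if ($sessionId !== null) {
        // HttpOnly keeps page scripts from reading the session cookie.
        setcookie('eZSESSID' . $GLOBALS['eZCurrentAccess']['name'], $sessionId,
                  time() + 60 * 60 * 24 * 365, '/', '', false, true);
    }
    header('Content-Type: image/gif');
    readfile('/path/to/pixel.gif');
}
```

In the pagelayout operator, the `<img>` URLs would embed `issueBeaconToken($sessionID)` instead of `$sessionID`; a token that fails verification simply returns the pixel without touching any cookie, which is also the case worth logging when hunting a problem like the one in the post.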

Luis Cruz

Friday 28 September 2007 6:53:34 am

Never mind... found the issue in the redirect code.
